+OIS-05.03B

1. Übersicht

OIS-05.03B

The cloud service provider integrates threat intelligence insights into its risk management process (cf. OIS-07, OIS-08 and OIS-09).

If a threat model is used for this process, the cloud service provider can, for example:

1. Use structured methodologies (e.g., STRIDE, PASTA, LINDDUN) appropriate to the cloud service architecture;
2. Map current threat landscape intelligence to specific system components, data flows, and trust boundaries;
3. Incorporate real-time threat intelligence to update threat models dynamically rather than relying on static annual assessments;
4. Consider emerging attack vectors, techniques, and procedures (TTPs) documented in frameworks such as MITRE ATT&CK; and
5. Account for supply chain and third-party risks through extended threat modelling.

The aim of threat modelling is to ensure that the current internal and external threats are reflected in risk handling measures.

Bezeichnung	Standard

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html